1mount_selinux(8)             SELinux Policy mount             mount_selinux(8)
2
3
4

NAME

6       mount_selinux - Security Enhanced Linux Policy for the mount processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the mount processes via flexible manda‐
10       tory access control.
11
12       The mount processes execute with the  mount_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep mount_t
19
20
21

ENTRYPOINTS

23       The mount_t SELinux type can be entered via  the  mount_exec_t,  fuser‐
24       mount_exec_t file types.
25
26       The default entrypoint paths for the mount_t domain are the following:
27
28       /bin/mount.*,     /bin/umount.*,     /sbin/mount.*,     /sbin/umount.*,
29       /usr/bin/mount.*,         /usr/bin/umount.*,         /usr/sbin/mount.*,
30       /usr/sbin/umount.*, /bin/fusermount, /usr/bin/fusermount
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       mount  policy is very flexible allowing users to setup their mount pro‐
40       cesses in as secure a method as possible.
41
42       The following process types are defined for mount:
43
44       mount_t, mount_ecryptfs_t
45
46       Note: semanage permissive -a mount_t can be used to  make  the  process
47       type  mount_t  permissive.  SELinux  does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy  is customizable based on least access required.  mount
54       policy is extremely flexible and has several booleans that allow you to
55       manipulate the policy and run mount with the tightest access possible.
56
57
58
59       If you want to allow the mount commands to mount any directory or file,
60       you must turn on the mount_anyfile boolean. Disabled by default.
61
62       setsebool -P mount_anyfile 1
63
64
65
66       If you want to allow users to resolve user passwd entries directly from
67       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
68       gin_nsswitch_use_ldap boolean. Disabled by default.
69
70       setsebool -P authlogin_nsswitch_use_ldap 1
71
72
73
74       If you want to deny user domains applications to map a memory region as
75       both  executable  and  writable,  this  is dangerous and the executable
76       should be reported in bugzilla, you must turn on the deny_execmem bool‐
77       ean. Enabled by default.
78
79       setsebool -P deny_execmem 1
80
81
82
83       If you want to allow all domains to execute in fips_mode, you must turn
84       on the fips_mode boolean. Enabled by default.
85
86       setsebool -P fips_mode 1
87
88
89
90       If you want to allow confined applications to run  with  kerberos,  you
91       must turn on the kerberos_enabled boolean. Disabled by default.
92
93       setsebool -P kerberos_enabled 1
94
95
96
97       If  you  want  to control the ability to mmap a low area of the address
98       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
99       the mmap_low_allowed boolean. Disabled by default.
100
101       setsebool -P mmap_low_allowed 1
102
103
104
105       If  you  want  to  allow  system  to run with NIS, you must turn on the
106       nis_enabled boolean. Disabled by default.
107
108       setsebool -P nis_enabled 1
109
110
111
112       If you want to allow confined applications to use nscd  shared  memory,
113       you must turn on the nscd_use_shm boolean. Disabled by default.
114
115       setsebool -P nscd_use_shm 1
116
117
118
119       If  you  want  to  disable  kernel module loading, you must turn on the
120       secure_mode_insmod boolean. Enabled by default.
121
122       setsebool -P secure_mode_insmod 1
123
124
125
126       If you want to allow unconfined executables to make their  heap  memory
127       executable.   Doing  this  is  a  really bad idea. Probably indicates a
128       badly coded executable, but could indicate an attack.  This  executable
129       should   be   reported  in  bugzilla,  you  must  turn  on  the  selin‐
130       uxuser_execheap boolean. Disabled by default.
131
132       setsebool -P selinuxuser_execheap 1
133
134
135
136       If you want to allow unconfined executables to make  their  stack  exe‐
137       cutable.   This  should  never, ever be necessary. Probably indicates a
138       badly coded executable, but could indicate an attack.  This  executable
139       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
140       stack boolean. Disabled by default.
141
142       setsebool -P selinuxuser_execstack 1
143
144
145

PORT TYPES

147       SELinux defines port types to represent TCP and UDP ports.
148
149       You can see the types associated with a port  by  using  the  following
150       command:
151
152       semanage port -l
153
154
155       Policy  governs  the  access  confined  processes  have to these ports.
156       SELinux mount policy is very flexible allowing  users  to  setup  their
157       mount processes in as secure a method as possible.
158
159       The following port types are defined for mount:
160
161
162       mountd_port_t
163
164
165
166       Default Defined Ports:
167                 tcp 20048
168                 udp 20048
169

MANAGED FILES

171       The SELinux process type mount_t can manage files labeled with the fol‐
172       lowing file types.  The paths listed are the default  paths  for  these
173       file types.  Note the processes UID still need to have DAC permissions.
174
175       file_type
176
177            all files on the system
178
179

FILE CONTEXTS

181       SELinux requires files to have an extended attribute to define the file
182       type.
183
184       You can see the context of a file using the -Z option to ls
185
186       Policy governs the access  confined  processes  have  to  these  files.
187       SELinux  mount  policy  is  very flexible allowing users to setup their
188       mount processes in as secure a method as possible.
189
190       STANDARD FILE CONTEXT
191
192       SELinux defines the file context types for the mount, if you wanted  to
193       store  files  with  these types in a diffent paths, you need to execute
194       the semanage command  to  sepecify  alternate  labeling  and  then  use
195       restorecon to put the labels on disk.
196
197       semanage   fcontext  -a  -t  mount_ecryptfs_tmpfs_t  '/srv/mymount_con‐
198       tent(/.*)?'
199       restorecon -R -v /srv/mymount_content
200
201       Note: SELinux often uses regular expressions  to  specify  labels  that
202       match multiple files.
203
204       The following file types are defined for mount:
205
206
207
208       mount_ecryptfs_exec_t
209
210       - Set files with the mount_ecryptfs_exec_t type, if you want to transi‐
211       tion an executable to the mount_ecryptfs_t domain.
212
213
214       Paths:
215            /usr/sbin/mount.ecryptfs,               /usr/sbin/umount.ecryptfs,
216            /usr/sbin/mount.ecryptfs_private,   /usr/sbin/umount.ecryptfs_pri‐
217            vate
218
219
220       mount_ecryptfs_tmpfs_t
221
222       - Set files with the mount_ecryptfs_tmpfs_t type, if you want to  store
223       mount ecryptfs files on a tmpfs file system.
224
225
226
227       mount_exec_t
228
229       -  Set  files  with the mount_exec_t type, if you want to transition an
230       executable to the mount_t domain.
231
232
233       Paths:
234            /bin/mount.*,   /bin/umount.*,   /sbin/mount.*,    /sbin/umount.*,
235            /usr/bin/mount.*,       /usr/bin/umount.*,      /usr/sbin/mount.*,
236            /usr/sbin/umount.*
237
238
239       mount_loopback_t
240
241       - Set files with the mount_loopback_t type, if you want  to  treat  the
242       files as mount loopback data.
243
244
245
246       mount_tmp_t
247
248       -  Set files with the mount_tmp_t type, if you want to store mount tem‐
249       porary files in the /tmp directories.
250
251
252
253       mount_var_run_t
254
255       - Set files with the mount_var_run_t type, if you  want  to  store  the
256       mount files under the /run or /var/run directory.
257
258
259       Paths:
260            /run/mount(/.*)?,     /dev/.mount(/.*)?,     /var/run/mount(/.*)?,
261            /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)?
262
263
264       Note: File context can be temporarily modified with the chcon  command.
265       If  you want to permanently change the file context you need to use the
266       semanage fcontext command.  This will modify the SELinux labeling data‐
267       base.  You will need to use restorecon to apply the labels.
268
269

COMMANDS

271       semanage  fcontext  can also be used to manipulate default file context
272       mappings.
273
274       semanage permissive can also be used to manipulate  whether  or  not  a
275       process type is permissive.
276
277       semanage  module can also be used to enable/disable/install/remove pol‐
278       icy modules.
279
280       semanage port can also be used to manipulate the port definitions
281
282       semanage boolean can also be used to manipulate the booleans
283
284
285       system-config-selinux is a GUI tool available to customize SELinux pol‐
286       icy settings.
287
288

AUTHOR

290       This manual page was auto-generated using sepolicy manpage .
291
292

SEE ALSO

294       selinux(8),  mount(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
295       icy(8),            setsebool(8),             mount_ecryptfs_selinux(8),
296       mount_ecryptfs_selinux(8)
297
298
299
300mount                              19-12-02                   mount_selinux(8)
Impressum